By default, hMailServer allows any authenticated user to send email messages from any account. This can be a security risk, especially if an account password is compromised or hijacked and spammers abuse your mail server. Below you'll find three scripts that can be placed in hMailServer's EventHandlers.vbs. All three define the same OnSMTPData handler, so use only one of them.

The first one only allows messages from the authenticated user's domain, e.g. if the username is info@domain.com, it is also allowed to send messages from postmaster@domain.com.

Limitation(s):

No domain alias or account alias checking

Sub OnSMTPData(oClient, oMessage)
    ' denies any mail not sent from the authenticated domain
    On Error Resume Next
    ' Only applies to authenticated sessions with a non-empty sender address
    If oClient.Username <> "" And oMessage.FromAddress <> "" Then
        Dim authemail, fromemail
        ' Domain part (after the "@") of the login name and of the sender address
        authemail = Split(oClient.Username,"@")(1)
        fromemail = Split(oMessage.FromAddress,"@")(1)
        If LCase(authemail) <> LCase(fromemail) Then
            ' 2 = reject the message; Result.Message is returned to the client
            Result.Value = 2
            Result.Message = "BLOCKED: You are only allowed to send from your own domain."
            EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not using authenticated user domain, eg: " & authemail)
        End If
    End If
    Err.Clear
    On Error GoTo 0
End Sub

The second one only allows messages from the authenticated user's own address, e.g. if the username is info@domain.com, it is only allowed to send messages from info@domain.com.

Limitation(s):

No domain alias or account alias checking

Sub OnSMTPData(oClient, oMessage)
    ' denies any mail not sent from the authenticated account
    On Error Resume Next
    ' Only applies to authenticated sessions
    If oClient.Username <> "" Then
        ' Case-insensitive comparison of the login name with the sender address
        If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
            ' 2 = reject the message; Result.Message is returned to the client
            Result.Value = 2
            Result.Message = "BLOCKED: You are only allowed to send from your own account."
            EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not is authenticated user , eg: " & oClient.Username)
        End If
    End If
    Err.Clear
    On Error GoTo 0
End Sub

The third script is the most advanced one: it also checks for domain aliases and account aliases.

Limitation(s):

You cannot send e-mail from an alias of another alias that is linked to your account

Sub OnSMTPData(oClient, oMessage)
    ' denies any mail not sent from the authenticated account or alias
    On Error Resume Next
    If oClient.Username <> "" Then
        If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
            Dim obBaseApp
            Set obBaseApp = CreateObject("hMailServer.Application")
            ' The administrator password is stored here in plain text, so restrict read access to EventHandlers.vbs
            Call obBaseApp.Authenticate("Administrator","***************") 'PUT YOUR PASSWORD HERE
            Dim StrClientDomain, StrFromDomain, StrFromAddress
            StrClientDomain = Split(oClient.Username,"@")(1)
            StrFromDomain = Split(oMessage.FromAddress,"@")(1)
            Dim obDomain
            Set obDomain = obBaseApp.Domains.ItemByName(StrClientDomain)
            Dim obAliases
            Dim obAlias
            Dim iAliases
            Dim AliasFound : AliasFound = False
            If LCase(StrClientDomain) <> LCase(StrFromDomain) Then
                ' Sender domain differs: accept it only if it is a domain alias of the user's domain
                Set obAliases = obDomain.DomainAliases
                For iAliases = 0 To (obAliases.Count - 1)
                    Set obAlias = obAliases.Item(iAliases)
                    If LCase(obAlias.AliasName) = LCase(StrFromDomain) Then
                        AliasFound = True
                        Exit For
                    End If
                Next
                If AliasFound Then
                    ' Map the sender address back to the user's primary domain
                    StrFromAddress = Split(oMessage.FromAddress,"@")(0) & "@" & StrClientDomain
                End If
            Else
                StrFromAddress = oMessage.FromAddress
                AliasFound = True
            End If
            If LCase(oClient.Username) <> LCase(StrFromAddress) Then
                If AliasFound Then
                    ' Look for an active account alias that points directly at the authenticated user
                    Set obAliases = obDomain.Aliases
                    AliasFound = False
                    For iAliases = 0 To (obAliases.Count - 1)
                        Set obAlias = obAliases.Item(iAliases)
                        If (obAlias.Active) And (LCase(obAlias.Name) = LCase(StrFromAddress)) And (LCase(obAlias.Value) = LCase(oClient.UserName)) Then
                            AliasFound = True
                            Exit For
                        End If
                    Next
                End If
                If Not AliasFound Then
                    ' 2 = reject the message; Result.Message is returned to the client
                    Result.Value = 2
                    Result.Message = "BLOCKED: You are only allowed to send from your own account or any of its aliases."
                    EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not is authenticated user or alias , eg: " & oClient.Username)
                End If
            End If
        End If
    End If
    Err.Clear
    On Error GoTo 0
End Sub
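
The decision the third script makes, modelled offline in Python as an added example (not code from the original page or from hMailServer). The domains, accounts and aliases are constructed sample data, and rejecting an empty or malformed sender is an assumption. It shows which sender addresses an authenticated info@example.com may use, including the alias-of-an-alias limitation.

```python
# Added example: offline model of the third script's allow/deny decision.
# Every domain, account and alias below is constructed sample data.

# domain -> set of its domain aliases
DOMAIN_ALIASES = {"example.com": {"example.net"}}

# account alias name -> (alias value, active flag)
ACCOUNT_ALIASES = {
    "sales@example.com": ("info@example.com", True),
    "old@example.com": ("info@example.com", False),    # inactive alias
    "deals@example.com": ("sales@example.com", True),  # alias of an alias
}


def sender_allowed(username, from_address):
    """Return True if the authenticated user may send as from_address."""
    user, sender = username.lower(), from_address.lower()
    if not user or user == sender:
        return True  # unauthenticated session (script does nothing) or exact match
    if sender.count("@") != 1:
        return False  # assumption: empty or malformed sender is rejected
    local, from_domain = sender.split("@")
    client_domain = user.split("@")[1]
    if from_domain != client_domain:
        # Only a domain alias of the user's own domain is accepted; it is
        # mapped back to the primary domain before the account checks.
        if from_domain not in DOMAIN_ALIASES.get(client_domain, set()):
            return False
        sender = local + "@" + client_domain
    if sender == user:
        return True
    # One alias lookup only: the alias must be active and point straight at the user.
    value, active = ACCOUNT_ALIASES.get(sender, ("", False))
    return active and value == user


if __name__ == "__main__":
    for frm in ("info@example.net", "sales@example.net", "old@example.com",
                "deals@example.com", "postmaster@example.com", "info@other.test"):
        verdict = "allow" if sender_allowed("info@example.com", frm) else "BLOCK"
        print(verdict, frm)
```
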